A study by endpoint security pros Code42 has shown that IT decision makers (ITDMs) are close to losing the trust of workers in the rest of their organisations.
67% of the 1500 knowledge workers surveyed do not believe their company has a clearly defined BYOD policy – yet 65% of the c. 400 ITDMs asked the same question think to the contrary. So what’s going on?
Well, considering that 42% of all corporate data is currently held on endpoint devices, outside the traditional security perimeter, and 1 in 4 knowledge workers don’t trust their IT teams/employers with their personal data, the situation is ripe to be capitalised on by cyber criminals.
We caught up with Rick Orloff, Code42’s Chief Security Officer, to gain further insight, and here’s what he told ITSG:
GURU: Why would ITDMs and knowledge workers have this difference in understanding over BYOD policy and what can be done to bridge the gap?
Rick Orloff: It often comes down to lack of communication. Unfortunately, many IT departments operate in a silo, giving the impression to the rest of the organisation that they simply ‘keep the lights on’ as technology service providers. The policies and safeguards they implement have exponential business value, yet IT struggles to communicate that value to the rest of the organisation. IT teams must lean on lines of business managers to help build awareness and enforce policies in the interest of enterprise data protection and security. Doing so will position them as a technology business partner enabling remote computing capabilities. They will be seen as a collaborative partner instead of a barrier.
GURU: How can we build up trust in our IT teams?
Rick Orloff: More communication between IT and business departments is the key. With a deeper understanding of why IT does what it does to protect enterprise data, lines of business managers and end users will adopt data safeguards. There should be a cross-functional InfoSec steering committee with senior stakeholders that align on strategies and risk mitigation issues. This will also help prevent unauthorised ‘shadow IT’ practices as well as provide support from the executives.
GURU: Should we trust anyone with our personal data? If it’s a necessity, how can we minimise the amount of data needed to be retained for the effective operation of the company?
Rick Orloff: All entities are on a “need-to-know basis.” Personal data should only be shared “if” required. That said, enterprises have a duty of care to monitor how and where data is accessed. In modern organisations, it’s essential to provision end-users with the appropriate technology that will protect data outside of the perimeter. The best endpoint protection solutions centralise data on a single platform, which gives security teams full visibility and control, as well as the ability to detect, respond and remediate breaches or other data security incidents. These solutions offer controls for the amount and types of end-user data to back up—some organisations want and need to retain more data than others.
GURU: Where should we keep our data, if not on endpoint devices?
Rick Orloff: Today it’s no longer realistic to say that data won’t also be available on the endpoint. It’s how employees work and there’s no reasonable way around that. To stay productive, end users want and need access to their data—both corporate and personal—while they’re mobile and/or working remotely. If IT doesn’t provide the right tools, they will simply find a way around IT’s data security measures. Data can and should be stored at the endpoint, but it must be secured and backed up (to the cloud or on-premises) so the company has control and visibility of its data—no matter where or how its employees are working.
GURU: How can we elevate the role of CISOs etc to make them more respected as a key component in keeping a business running?
Rick Orloff: Due to the many high-profile breaches and widespread fear of ransomware, the CISO role has grown in importance and taken its place on the executive team and in the boardroom. Recently, boards realise the importance of data security in the enterprise, and are looking to the CSO and CISO to keep operations running smoothly and safely. It’s also imperative that the CISO work closely with the rest of the C-suite, such as the CMO and CFO, on strategies to mitigate risk across the enterprise.